PROVEST: Provenance-based Trust Model for Delay Tolerant Networks Jin-Hee Cho, Ing-Ray Chen

1. Introduction Introduction | Method | Evaluation

What is Disruption Tolerant Networks (DTN) There is no guarantee of end-to-end connectivity, thus causing high delay or disruption due to inherent characteristics or intentionally misbehaving nodes Examples: smart environments, habitat monitoring, and vehicular ad- hoc networks

What do we expect DTN behaves Achieve accurate peer-to-peer trust assessment Maximize the delivery of correct messages received by destination nodes Minimizing message delay and communication cost under resource- constrained network environments

A challenge Nodes are sparsely scattered in DTN and do not often encounter each other The lack of direct interaction experience in DTN environments hinders continuous evidence collection and can result in incorrect trust estimation, leading to poor application performance.

Provenance “lineage” or “pedigree,” Describing the origins of a piece of data and how the data achieves the current state Can be think as another communication method, an indirect method

Challenge of using provenance It must defend against attackers who may modify or drop messages including provenance information or disseminate fake information

Network model Information: source nodes (SNs) ==> destination node (DNs) “store-and-forward” technique: a node carries messages until it encounters a message carrier (MC)

2. Method Introduction | Method | Evaluation

PI (SN) ==> destination node (DN) Pi;k representing the PI provided by i with its direct trust opinion towards the previous MC = Oi;k(t) is I’s direct trust opinion towards the attack behaviors (i.e., ID, fake recommendation, and message modification attacks), and remaining energy level of k

Peer-to-peer trust estimation r: amount of positive evidence s: amount of negative evidence initiated with r = 1 and s = 1 Derived from either: direct evidence based on observations or indirect evidence (PI)

Uncertainty of evidence - u Direct evidence: can be failed due to unreliable link or short contact time Indirect evidence: false evidence will not be used. Three scores: r, s, u Accumulated evidence from the past and new evidence How to aggregate?

Trust Aggregation PROVEST-Pessimistic PROVEST-Optimistic PROVEST-Realistic PROVEST-Hybrid The value of each trust dimension is aggregated based on accumulated evidence from the past and the new evidence

PROVEST-Pessimistic Treats uncertain evidence as negative evidence based on the nature of trusting less under no correct evidence available i to refer to a trustor (i.e., evaluator) and j to refer to a trustee (i.e., evaluatee).

PROVEST-Optimistic Treats uncertainty as credits based on the nature of trusting more

PROVEST-Realistic Only relies on evidence available by ignoring the uncertain evidence If no new evidence is available, it does not update trust

PROVEST-Hybrid Leveraging the three schemes above It determines how to deal with uncertain evidence based on historical patterns of the amount of evidence

Trust Dimensions Availability Direct trust Integrity Indirect trust × Competence Direct trust Indirect trust ×

Direct availability trust Direct availability trust is measured by whether a node is available to serve requests by exchanging a simple message to ensure connectivity. Replies: (1,0,0) No replies: (0,1,0)

Direct integrity trust Direct integrity trust is measured based on whether a node exhibits three attack behaviors: identity attack, fake recommendation attack, and message modification attack Each exhibiting attack behavior is counted as evidence r+s+u=3

Direct competence trust Energy status + cooperativeness behavior r+s+u=2

Indirect availability trust Positive (1,0,0) if (1) node j’s ID is enclosed in j’s PI; (2) node j’s ID is authentic by ensuring that j’s ID inserted by j in j’s PI matches with j’s ID inserted by j’s next MC in the next PI; (3) both j’s previous MC and j have a trust value above the minimum trust threshold based on i’s evaluation

Indirect integrity trust Also three pieces of evidence: identity attack, fake recommendation attack, and message modification attack If PI is inserted: j’s next MC’s trust value (in the last trust update) > threshold For each evidence r+s+u=3

Indirect competence trust Also energy status + cooperativeness behavior If PI is inserted: j’s next MC’s trust value (in the last trust update) > threshold For each evidence r+s+u=2

3. Evaluation Introduction | Method | Evaluation

Metrics - Trust Bias Time-averaged difference between: trust of node j evaluated by node i and objective trust of node j evaluated by all encountered nodes based on direct observations with no detection errors. ground truth Trust value of node j on property X evaluated by node i at time t

Metrics - Mission message correctness Fraction of the number of packets received by DNs correctly over the total number of messages transmitted by SNs during LT. I is a set of messages received by DNs and the k nodes are intermediate MCs delivering message m. m: message K is a set of all intermediate MCs involved in delivering each message m.

Metrics - Message delay Dm is the delay (sec.) occurred for message m to be delivered to the DN. I is a set of messages sent by SNs to DNs

Metrics - Communication cost Ce(t): number of messages for a node to deal with trust evaluation Cd(t): number of messages for a node to deal with message delivery LT: entire mission lifetime

Experimental Setup 20 nodes Communication range: 100m Speed: uniform distribution with the range of [1,15] Packet forwarding probability: Pf Packet dropping probability: 1-Pf Number of SN-DN pairs: 20 And so on

STOCHASTIC PETRI NETS

Trust Bias of PROVEST

Performance of PROVEST

Comparing methods Trust-based Non-trust-based PROVEST (and its variants) Encounter-based Iterative Trust Reputation Mechanism (ITRM) Non-trust-based epidemic (e.g., flooding) ProPHET (e.g., connectivity-based delivery prediction)

Comparing Results We found that the provenance-based approach (i.e., PROVEST-Hybrid) significantly reduces the communication cost while maintaining a high correct message delivery ratio, compared to Epidemic, ITRM, Encounter-based, and PRoPHET

Conclusion Direct method Intrinsic properties of DTN: Two methods Indirect method (PI) 1. Sparse nodes 2. Various attacks Introduce u Four variants 3. no guarantee connectivity 4. Inherent problems Three dimensions

Thank you